Who Will Follow Facebook In Buying Customer Leaked Databases?

Facebook has taken the privacy of their customers seriously, as their Chief Security Officer (CSO) Alex Stamos has stated that the company has engaged in black market purchases of leaked or hacked databases that contain Facebook account credentials.

A Preface To The Facebook Black Market Trade

Facebook has publicly disclosed that it has bought leaked databases that contain Facebook credentials of their customers. (Note that I don’t say users.) Everything posted on Facebook by a user of the social network is used to build a profile around the person. This information is then used to create personalized ads that deliver sponsored content to them.

To this date, the mechanism has been one of the most successful revenue streams that we have witnessed thus far. Facebook’s Q3 2016 report shows that the company is also stepping on the shoes of video sharing services, which will also boost the community.

The fact that the social network has gone to such lengths to protect the privacy of their users means that they are very serious about withholding and preserving their user base. Nowadays, there is hardly any living active Internet user who has not interacted with Facebook. Essentially, the Facebook security team or whoever is handling these issues must have learned of the recent large database leaks that include mainly adult dating sites.

In this day and age, its very difficult not to imagine that you might get hacked as criminals continue to develop exploits and dangerous viruses, such as ransomware to wreak havoc on their targets. In many cases, the victims are blackmailed by the hackers to deliver large sums of money to prevent data leakage and exposure of their corporate secrets.

Facebook Has Stepped In By Buying From The Underground Markets

Facebook has taken an alternative and proactive approach when it comes to defending the security of their users. The social network has taken the controversial step to pay the hackers for the compromised databases that have been leaked.

The Facebook security team has then cross-referenced the contained account credentials (usernames, emails and passwords) to the encrypted ones its platform uses. When a match is found, the team issues a mandatory password reset for that affected user.

While this has a positive side, paying hackers for providing the data can have serious consequences. Several security experts and technology analysts have stated that this only reinforces their criminal business model. We have witnessed that there is a sharp rise of hacker attacks, ransomware virus development and coordinated large-scale DDOS attacks. Add to that the growing security vulnerabilities in IoT devices which have been used in actual campaigns against various targets.

The security experts are worried that Facebook’s decision to engage the hackers might “inspire” more criminals to attack large sites that may contain lucrative account credentials.

It would be good to create a proactive solution that can deal with consequences of a hacker attack when it comes to data, much like the bug bounty programs, which are used to fight off exploits of software vulnerabilities. However, paying the criminals is probably not the best idea.

What the online services need is a clear understanding that when they are in possession of high-risk and sensitive information about their users, such as their passwords, they must protect it with all means necessary. That is something that everyone should strive to do to the best of their ability. However, the problem is that not every security expert can think from the user’s perspective.

A lot of users don’t change their passwords, and one user’s password stolen from one service could probably work on another site that they use.

The other fact is that it’s relatively easy to guess most passwords. Every year, we receive reports that users use dictionary words and simple strings like “1234,” “password,” “secret” and even “god” to protect their accounts.

It would be interesting to see if another company will disclose if it has embraced such a strategy as part of its security practice in protecting the data of its users.

About the Author:Martin Beltov graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion. He mainly contributes to the Best Security Search website.

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.